How does it work?

To understand it, we need to look at the bigger picture. In order for DKIM to work, a domain owner needs to create a pair of keys:

a private key, used to sign the message. This must be kept secret, although it is often shared with an ESP (email service provider) so they can send emails on behalf of that domain. Using this key, a verification code is generated and added to each email as a header – the DKIM signature.

a public key, which anyone can look up in the DNS (Domain Name System, more on this next week). Receivers use this key to check the signature and confirm that the email was indeed created by someone holding the matching private key.

Think of it as similar to the medieval practice of putting a wax seal on a note. It was easy to show everyone your seal and make it public so it could be recognised. People receiving a note from you could check that the seal matched yours to confirm it was from you. But it was difficult for someone else to create an exact copy of your seal and pretend to be you.

Why should email marketers care?

Spammers sometimes forge ‘From’ addresses. So the receiver might get an email from you@yourdomain.com when it wasn’t actually sent from that address. And because it’s spam, the receiver will lose trust in you as a sender and mark the message as spam. But if you have created the private and public keys, the spoof email sent by the spammer won’t carry a valid DKIM signature, so the email will be rejected as not genuine.